CERT-UA warns of increasing cyberattacks against accountants

The level of threat to accountants is growing

CERT-UA, which operates under the State Special Communications Service, warns of a significant increase in the number of cyberattacks related to the activities of the financially motivated group UAC-0006.

Since May 20, 2024, CERT-UA experts have detected two large-scale campaigns to spread SMOKELOADER malware.

How infection occurs

Attackers send out emails containing ZIP archives with dangerous content:

  • IMG files that contain EXE files with malicious code;
  • ACCDB documents (Microsoft Access) with macros that execute PowerShell commands to download and run EXE files.

After infection, other malicious programs such as TALESHOT and RMS are downloaded to the computer.

Currently, the UAC-0006 botnet includes several hundred infected computers. There is a high probability that in the near future the attackers will intensify fraudulent schemes using remote banking systems.


What to do

CERT-UA calls on business leaders to take urgent measures to improve the cybersecurity of automated workplaces for accountants:

  • check computers for indicators of compromise;
  • implement the necessary policies and protection mechanisms.
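
One way to screen mail attachments for the two lure types described under "How infection occurs", as an added example that is not from CERT-UA or the original article. The function names, the size cap and the sample archive are assumptions constructed for illustration, and the check flags file types only, not macros or specific malware families.

```python
import io
import struct
import zipfile

MAX_MEMBER = 64 * 1024 * 1024  # assumed read cap per member (decompression-bomb guard)
ACE_MAGIC = b"\x00\x01\x00\x00Standard ACE DB"  # file header of .accdb databases

def has_embedded_pe(blob: bytes) -> bool:
    """Heuristic: an MZ header whose e_lfanew field points at a PE signature."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return True
        pos = blob.find(b"MZ", pos + 1)
    return False

def triage_zip(data: bytes) -> list:
    """Return (member, reason) pairs for IMG and ACCDB members of a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                blob = fh.read(MAX_MEMBER + 1)  # never trust the declared size
            name = info.filename
            if len(blob) > MAX_MEMBER:
                findings.append((name, "oversized member, not inspected"))
            elif name.lower().endswith(".accdb") or blob.startswith(ACE_MAGIC):
                findings.append((name, "Microsoft Access database"))
            elif name.lower().endswith(".img"):
                kind = "disk image with executable" if has_embedded_pe(blob) else "disk image"
                findings.append((name, kind))
    return findings

def constructed_sample() -> bytes:
    """Constructed test archive made of harmless stub bytes, not a real sample."""
    pe_stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc/scan.img", b"\x00" * 512 + pe_stub)
        zf.writestr("invoice.accdb", ACE_MAGIC + b"\x00" * 16)
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_zip(constructed_sample()))
```

Because the Access check also matches on the file header, a database renamed to another extension is still flagged; the IMG check relies on the extension and only then looks for an executable inside.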

The UAC-0006 group ranks first among cybercriminals in the financial sector in terms of activity. The criminals' goal is to use malware to steal funds from the accounts of Ukrainian enterprises on a particularly large scale.

There are cases when computers with millions of payments do not even have an antivirus program. The CERT-UA article describes the attackers’ methods in more detail.

Between August and October 2023, the group repeatedly attempted to steal tens of millions of hryvnias.

